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MEMORANDUM  FOR  DIRECTOR,  DEFENSE  CONTRACT  AUDIT  AGENCY 

SUBJECT:  Report  on  Hotline  Allegation  Regarding  Lack  of  Agency  Guidance  on  the 
Currency  of  Audit  Testing  in  the  Defense  Contract  Audit  Agency 
(Report  No.  D-201 1-6-011) 

We  are  providing  this  report  for  your  information  and  use.  We  reviewed  a  DoD  Hotline 
complaint  and  substantiated  the  allegation  that  the  Defense  Contract  Audit  Agency 
(DCAA)  lacks  written  guidance  and  agency-wide  policy  regarding  the  need  to  perform 
current  testing  of  data  during  audits  of  contractor  systems.  We  recommend  that  the 
Director,  DCAA,  develop  written  agency-wide  policy  and  guidance  on  current  audit 
testing  to  ensure  that  DCAA  auditors  obtain  sufficient  evidence  to  provide  a  reasonable 
basis  for  the  conclusion  that  is  expressed  in  audits  of  contractor  business  and  internal 
control  systems.  By  November  2011,  DCAA  plans  to  issue  guidance,  which  will  include 
the  requirement  for  auditors  to  perform  sufficient  testing  of  data  that  is  relevant  to  the 
audit  objectives,  to  perform  testing  of  data  generated  by  the  system  throughout  the  period 
under  audit,  and  to  issue  timely  audit  reports. 

We  considered  management  comments  on  a  draft  of  this  report  when  preparing  the  final 
report.  The  Defense  Contract  Audit  Agency  comments  conformed  to  the  requirements  of 
DoD  Directive  7650.3;  therefore,  additional  comments  are  not  required. 

We  appreciate  the  courtesies  extended  to  the  staff.  Please  direct  questions  to 

Ms.  Carolyn  R.  Davis  at  (703)  604-8877  (DSN  664-8877)  or  carolvn.davis@dodig.mil. 

'''Randolph  R.  Stone,  SES 
Deputy  Inspector  General 
Policy  and  Oversight 


Report  No.  D-20 11-6-011  (Project  No.  D2010-DIP0AI-01 17.000) 


September  21,  2011 


Results  in  Brief:  Hotline  Allegation 
Regarding  Lack  of  Agency  Guidance  on  the 
Currency  of  Audit  Testing  in  the  Defense 
Contract  Audit  Agency 


What  We  Did 

We  reviewed  the  DOD  Hotline  complaint 
alleging  that  the  Defense  Contract  Audit 
Agency  (DCAA)  lacks  written  guidance  and 
agency-wide  policy  regarding  the  need  to 
perform  current  testing  of  data. 

What  We  Found 

We  substantiated  the  allegation  that  DCAA 
does  not  have  any  written  guidance  or 
agency-wide  policy  regarding  the  need  to 
perfonn  current  testing  of  contractor  data 
during  audits  of  contractor  business  systems. 
In  addition,  we  found  that  each  regional 
office  in  DCAA  has  their  own  rule  of  thumb 
as  to  what  they  consider  to  be  current  audit 
testing  and  when  retesting  is  required.  We 
found  that  the  data  tested  by  the  auditor 
from  reports  dated  September  21,  2008,  was 
no  longer  current  and  did  not  meet  the  field 
work  standard  in  generally  accepted 
government  auditing  standards  (GAGAS) 
which  requires  auditors  to  obtain  sufficient, 
appropriate  evidence.  It  would  be  desirable 
to  have  written  agency- wide  audit  policy 
and  guidance  from  DCAA  Headquarters  to 
ensure  consistency  among  the  regions  and 
field  audit  offices,  and  to  ensure  that 
auditors  obtain  sufficient  evidence  to 
provide  a  reasonable  basis  for  the  conclusion 
that  is  expressed  in  the  audit  report. 


What  We  Recommend 

We  recommend  the  DCAA  Director  develop 
written  policy  and  guidance  to  ensure  that 
DCAA  auditors  comply  with  GAGAS  by 
obtaining  sufficient  evidence  to  provide  a 
reasonable  basis  for  the  conclusion  that  is 
expressed  in  audits  of  contractor  business 
and  internal  control  systems.  Specifically, 
the  agency-wide  written  policy  and  guidance 
should  require  auditors  to  perfonn  sufficient 
testing  of  current  data  and  testing  of  data 
generated  by  the  system  throughout  the 
period  under  audit.  Further,  the  guidance 
should  require  auditors  to  perform  retesting 
or  expand  testing  if  the  data  tested  is  no 
longer  current. 

Management  Comments 
and  Our  Response 

In  responding  to  the  June  20,  2011  draft  of 
this  report,  the  Director,  DCAA  agreed  with 
our  findings  and  recommendations. 
Therefore,  no  additional  comments  are 
required.  Please  see  the  recommendations 
table  on  the  following  page. 

United  States  Department  of  Defense 
Office  of  Inspector  General 
Report  No.  D-201 1-6-011 
(Project  No.  D2010-DIP0AI-01 17.000) 

September  21,  2011 
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Introduction 


Objective 

We  conducted  this  review  to  determine  whether  the  complainant’s  allegation  received  by 
the  DOD  Hotline  could  be  substantiated.  The  complainant  alleged  that  the  Defense 
Contract  Audit  Agency  does  not  have  any  written  guidance  or  agency-wide  policy 
regarding  the  need  to  perform  current  testing  of  contractor  data. 

See  Appendix  A  for  details  of  our  scope  and  methodology. 

Background 

Defense  Contract  Audit  Agency  (DCAA) 

In  accordance  with  DOD  Directive  5105.36,  DCAA  performs  contract  auditing  and 
provides  accounting  and  financial  advisory  services  in  connection  with  the  negotiation, 
administration  and  settlement  of  contracts  and  subcontracts.  DCAA  operates  under  the 
authority,  direction,  and  control  of  the  Under  Secretary  of  Defense  (Comptroller). 

Organizationally,  DCAA  includes  a  Headquarters,  Field  Detachment,  and  five  regions: 
Central,  Eastern,  Mid-Atlantic,  Northeastern,  and  Western.  Each  region  has  several  field 
audit  offices. 

Government  Accountability  Office  (GAO) 

GAO  issued  two  reports  addressing  the  requirement  that  auditors  perform  sufficient 
testing  to  express  an  opinion  on  the  subject  under  audit,  including  one  in  July  2008 1  and 
the  other  in  September  2009. 2  These  reports  noted  that  generally  accepted  government 
auditing  standards  require  auditors  to  perform  sufficient  testing  and  obtain  sufficient 
evidence  to  express  an  opinion  on  the  subject  matter.  The  2009  report  found  audit  quality 
problems  at  DCAA  offices  nationwide,  including  insufficient  audit  testing  on  its  internal 
control  reviews.  The  report  notes  that  DCAA’s  secondary  objective  on  audits  of 
contractor  systems  and  controls  is  to  determine  the  degree  of  reliance  that  can  be  placed 
on  the  contractor’s  internal  controls  as  a  basis  for  planning  the  scope  of  other  related 
audits.  The  report  found  that  33  of  the  37  internal  control  audits  did  not  include 
sufficient  testing  of  internal  controls  to  support  auditor  conclusions  and  opinions.  DCAA 
uses  the  results  of  contractor  systems  and  internal  control  audits  to  assess  risk  and  plan 
the  nature,  extent,  and  timing  of  tests  for  other  contractor  audits  and  other  assignments. 


1  Report  No.  GAO-08-857,  “DCAA  AUDITS:  Allegations  That  Certain  Audits  at  Three  Locations  Did  Not 
Meet  Professional  Standards  Were  Substantiated,”  July  22,  2008. 

2  Report  No.  GAO-09-468,  “DCAA  AUDITS:  Widespread  Problems  with  Audit  Quality  Require 
Significant  Reform,”  September  23,  2009. 
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Generally  Accepted  Government  Auditing  Standards 

As  a  Government  audit  organization,  DCAA  must  comply  with  applicable  generally 
accepted  government  auditing  standards  (GAGAS)  issued  by  the  Comptroller  General  of 
the  United  States.  GAGAS  incorporates  the  standards  issued  by  the  American  Institute  of 
Certified  Public  Accountants.  The  DCAA  Contract  Audit  Manual  (CAM)  prescribes 
auditing  policies  and  procedures  for  performing  audits  in  support  of  the  DCAA  mission. 
The  CAM  incorporates  GAGAS  into  its  guidance. 

DOD  Instruction  7600.2  dated  April  27,  2007,  “Audit  Policies,”  requires  that  all 
independent  audit  and  attestation  engagements  of  DOD  organizations,  programs, 
activities,  and  functions  be  conducted  in  accordance  with  GAGAS  as  issued  by  the 
Comptroller  General  of  the  United  States.  GAGAS  provides  the  framework  for  auditors 
to  perfonn  high-quality  audit  work  with  competence,  integrity,  objectivity,  and 
independence.  Under  GAGAS,  auditors  must  prepare  audit  documentation  in  sufficient 
detail  to  provide  a  clear  understanding  of  the  work  perfonned,  including  the  nature, 
timing,  extent,  and  results  of  audit  procedures  performed;  the  evidence  obtained  and  its 
source;  and  the  conclusions  reached.  The  audit  documentation  should  contain  support  for 
the  report’s  findings,  conclusions,  and  recommendations. 

GAGAS  6.04b  requires  the  auditor  to  obtain  sufficient  and  appropriate  evidence  to 
provide  a  reasonable  basis  for  the  conclusion  that  is  expressed  in  the  report.  The 
evidence  provided  in  the  report  is  more  helpful  if  it  is  current. 
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Finding 

Lack  of  Agency  Guidance  on  the  Currency  of  Audit 
Testing 

We  substantiated  the  allegation  that  DCAA  does  not  have  any  written  guidance  or 
agency-wide  policy  regarding  the  need  to  perfonn  current  testing  of  transactions  during 
audits  of  contractor  business  and  internal  control  systems. 

Allegation 

The  complainant  alleged  that  DCAA  lacks  any  written  guidance  or  agency- wide  policy 
regarding  the  “currency”  of  audit  testing  which  is  causing  audit  reports  on  contractor 
business  system  reviews  to  be  delayed  as  a  result  of  retesting. 

Background 

In  addressing  the  allegation,  the  auditor  described  an  incident  whereby  he  completed  an 
audit  of  the  contractor’s  earned  value  management  system  (EVMS)  for  compliance  with 
certain  earned  value  management  guidelines.  During  a  review  of  the  draft  report  in 
November  2009,  the  DCAA  Eastern  Region  determined  that  the  data  reviewed  by  the 
auditor  was  not  current  and  required  the  auditor  to  retest  the  data.  The  complainant 
alleged  that  the  lack  of  written  agency  policy  or  guidance  regarding  the  need  to  perfonn 
current  testing  led  the  Eastern  Regional  Director  to  require  retesting. 

The  auditor  reviewed  and  tested  the  most  current  Contract  Performance  Reports  dated 
September  21,  2008  that  were  available  at  the  time  the  audit  started  in  December  2008. 
During  the  course  of  the  audit,  all  transactions  tested  by  the  auditor  came  from  the 
September  21,  2008  reports.  The  auditor  completed  the  audit  in  August  2009.  The 
supervisory  auditor  completed  his  review  in  November  2009  and  submitted  the  draft 
report  for  review  to  the  DCAA  Eastern  Region  Technical  Programs  Division. 

On  November  9,  2009,  the  Eastern  Regional  Technical  Programs  Specialist  telephoned 
the  supervisory  auditor  and  told  him  that  she  would  like  the  auditor  to  perform  “current” 
testing  on  more  recent  Contract  Perfonnance  Reports.  The  auditor  stated  that  he  selected 
the  most  current  Contract  Perfonnance  Reports  available  at  the  start  of  the  audit.  At  that 
time,  no  written  guidance  or  policy  related  to  a  6-,  9-,  or  12-month  testing  policy  existed. 
However,  the  data  tested  was  no  longer  current  by  the  time  the  audit  was  completed.  To 
be  sufficient  and  current,  evidence  supporting  the  audit  opinion  should  be  reasonably 
current  as  of  the  date  of  the  audit  report. 

The  Eastern  Regional  Technical  Programs  Specialist  was  concerned  with  the  “age”  of  the 
Contract  Perfonnance  Reports  and  related  transaction  testing  performed  by  the  auditor. 
The  specialist  noted  in  an  email  dated  November  13,  2009  that  the  reports  tested  were 
dated  September  21,  2008.  The  email  stated  that  it  is  DCAA’s  position  that  testing  in  a 
system  review  be  as  current  as  possible.  However,  there  is  no  written  agency-wide  policy 
regarding  DCAA’s  position.  In  addition,  the  specialist  stated  that  it  is  the  Eastern 
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Regional  Director’s  position  based  upon  discussions  held  in  DCAA  Executive  Steering 
Committee  meetings  that  the  data  tested  should  be  within  a  six-  to  nine-month  period 
prior  to  the  issuance  of  the  audit  report. 

On  November  16,  2009,  a  teleconference  was  held  between  the  Regional  Special 
Programs  and  Resident  Office.  It  was  noted  that  there  is  no  written  policy  that  an  audit 
report  must  be  issued  six  to  nine  months  after  the  date  of  the  data  being  audited  in  a 
system  audit.  The  Eastern  Regional  Special  Programs  Manager  requested  that  the  auditor 
update  the  testing  on  the  system  findings  to  current  Contract  Performance  Reports. 

On  November  17,  2009,  a  Program  Manager  from  Headquarters,  now  retired,  emailed  the 
Eastern  Regional  Technical  Programs  Specialist  and  said  that  the  testing  should  be 
updated  if  it  is  more  than  12  months  old. 

On  November  18,  2009,  the  Eastern  Regional  Director  decided  that  the  testing  should  be 
updated  for  transactions  that  were  tested  and  are  older  than  nine  months.  As  a  result  of 
the  lack  of  written  agency  policy  or  guidance,  the  Eastern  Regional  Director  directed  the 
auditor  to  perform  additional  testing  and  detennine  if  the  original  deficiencies  were  still 
at  issue.  Subsequently  the  Regional  Audit  Manager  advised  the  Resident  Auditor  that  the 
opinion  stated  in  the  audit  report  cannot  be  based  on  testing  perfonned  on  contractor 
Contract  Performance  Report  data  from  September  2008. 

Our  Review 

We  obtained  and  reviewed  the  statements  made  by  the  auditor,  Resident  Office  and 
Regional  management,  Eastern  Regional  Technical  Programs  Specialist,  and  the  Director 
of  the  Eastern  Region.  Additionally  we  researched  applicable  regulations,  DCAA 
Contract  Audit  Manual  (CAM),  and  DCAA  agency  policies.  The  complainant  performed 
all  of  his  testing  from  the  Contract  Performance  Reports  dated  September  21,  2008.  The 
data  tested  was  one  year  old  by  the  time  the  complainant  completed  the  audit.  The 
auditor  did  not  obtain  sufficient  evidence  to  provide  a  reasonable  basis  for  the  conclusion 
that  is  expressed  in  the  report.  The  evidence  was  not  sufficient  because  the  evidence  was 
not  current.  Therefore,  the  Eastern  Region  required  the  auditor  to  retest  using  current 
data. 

We  substantiated  the  allegation  that  DCAA  does  not  have  written  guidance  or  agency¬ 
wide  policy  related  to  the  “current”  testing  of  data.  We  agree  that  the  lack  of  written 
agency-wide  policy  or  guidance  regarding  “current”  testing  led  the  Eastern  Regional 
Director  to  make  a  decision  that  the  auditor  must  perform  additional  testing.  All  resident 
audit  office  and  regional  office  managers  we  interviewed  stated  that  DCAA  does  not 
have  any  guidance  or  agency-wide  policy  regarding  the  need  to  perfonn  “current”  testing 
during  audits  of  contractor’s  internal  control  and  business  systems.  The  Chief,  Technical 
Programs  Division  from  each  DCAA  region  all  agreed  that  guidance  and  agency-wide 
policy  from  DCAA  Headquarters  is  needed  to  regulate  testing  of  current  data  to  assist 
auditors  in  obtaining  sufficient  appropriate  evidence  to  support  conclusions  in  audits  of 
contractor  internal  controls  and  business  systems. 
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Regional  Offices 

We  found  that  the  lack  of  written  guidance  or  agency-wide  policy  resulted  in  inconsistent 
practices  among  the  DCAA  regional  offices.  We  contacted  the  Chief,  Technical 
Programs  Division  for  each  region.  Each  Chief  stated  that  the  data  tested  should  be 
current.  However,  the  regions  are  using  different  criteria  to  determine  when  retesting 
would  be  required  before  providing  an  opinion  on  the  contractor’s  business  or  internal 
control  systems.  We  asked  the  Chief,  Technical  Programs  Division  from  each  region  the 
question:  “When  would  retesting  be  required  because  the  data  tested  is  too  old  to  give  an 
audit  opinion  on  the  business  or  internal  control  system?”  We  received  inconsistent 
answers  as  noted  in  Table  1  (below). 


Table  1.  Region  Responses  on  Data  Retesting 


Region 

Retesting  would  be  required  if  the  data  tested 
were  older  than  the  following  period 

Eastern 

Older  than  9  months 

Northeastern 

Older  than  12  months 

Central 

Older  than  6  months 

Western 

Older  than  12  months 

Mid-Atlantic 

Older  than  9  months 

Field  Detachment 

Older  than  9  months 

The  lack  of  written  guidance  and  agency-wide  policy  from  DCAA  Headquarters  has 
created  inconsistent  treatment  among  the  five  regions  and  the  Field  Detachment.  All 
regions  agree  that  an  opinion  must  be  provided  based  on  data  that  is  relatively  current. 
Written  guidance  and  policy  from  DCAA  Headquarters  is  expected;  but,  no  written 
policy  has  been  provided.  Written  guidance  and  agency-wide  policy  would  advise 
auditors  of  the  requirement  to  perform  “current”  testing  to  obtain  sufficient  evidence  to 
provide  a  reasonable  basis  for  the  conclusion  that  is  expressed  in  the  report. 

Headquarters 

The  Chief,  Auditing  Standards  Division,  DCAA  Headquarters  acknowledged  that  DCAA 
does  not  have  a  written  policy  stating  a  specific  time  frame  beyond  which  testing  in 
audits  of  contractor  business  systems  would  be  considered  outdated.  Based  on  current 
DCAA  policy,  audit  reports  on  contractor  systems  are  relied  on  by  DCAA  as  a  basis  for 
assessing  control  risk  in  related  audits  for  a  period  of  two  to  four  years  assuming  no 
changes  to  the  system.  DCAA  Headquarters  believes  that  the  appropriate  exercise  of 
professional  judgment  would  generally  dictate  that  to  be  sufficient  and  appropriate,  the 
evidence  supporting  the  audit  opinion  should  be  reasonably  current  as  of  the  date  of  the 
audit  report.  As  a  general  rule,  when  DCAA  Headquarters  receives  questions  regarding 
this  issue,  they  advise  regions  and  field  audit  offices  that  testing  should  generally  be  no 
more  than  9  to  12  months  old  when  the  audit  report  is  issued.  However,  DCAA 
Headquarters  has  not  provided  any  written  guidance  or  policy  on  the  subject. 
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DCAA  Memorandum  for  Regional  Directors  (09-PAS-020(NR)),  dated  October  9,  2009, 
stated  that  new  guidance  is  expected  to  be  issued  in  the  second  quarter  of  FY  2010  for 
audits  of  contractors’  billing  systems  and  audits  of  contractors’  control  environment  and 
overall  accounting  systems.  We  are  not  aware  that  DCAA  Headquarters  issued  any  new 
guidance  as  mentioned  in  this  memorandum. 

Applicable  Criteria 

In  performing  its  audits,  DCAA  states  that  it  follows  generally  accepted  government 
auditing  standards  (GAGAS).  GAGAS  1.23a  covering  examination-level  engagements 
require  that  auditors  obtain  sufficient,  appropriate  evidence  to  provide  a  reasonable  basis 
to  express  an  opinion  on  whether  the  subject  matter  is  based  on  (or  in  conformity  with) 
the  criteria  in  all  material  respects.  Also,  GAGAS  6.04b  requires  the  auditor  to  obtain 
sufficient  evidence  to  provide  a  reasonable  basis  for  the  conclusion  that  is  expressed  in 
the  report.  The  evidence  provided  in  the  report  is  more  helpful  if  it  is  current. 

•  The  Government  Accountability  Office  (GAO)  Report  GAO-09-468  found  that 
33  of  37  internal  control  audits  it  reviewed  did  not  include  sufficient  testing  of 
internal  controls  to  support  auditor  conclusions  and  opinions.  The  GAO  found 
that  an  auditor  tested  only  two,  three,  or  sometimes  five  transactions  to  support 
audit  conclusions.  In  another  instance,  an  auditor  tested  four  vouchers  that  were 
all  processed  on  the  same  day  out  of  the  8-month  period  covered  by  the  audit. 

The  GAO  report  states,  for  internal  control  audits  which  are  relied  on  for  2  to  4  years  and 
sometimes  longer,  the  auditors  would  be  expected  to  test  a  representative  selection  of 
transactions  across  the  year  and  not  transactions  for  just  one  day,  one  month,  or  a  couple 
of  months.  An  auditor  should  use  a  population  covering  a  12-month  period  if  the 
assignment  is  designed  to  cover  a  1-year  period. 

Further,  the  GAO  report  found  that  6  of  the  37  audit  reports  were  not  issued  at  the  time 
the  work  was  completed.  Because  testing  was  not  updated  or  was  not  sufficiently 
updated,  the  reported  audit  opinions  which  related  to  controls  at  the  time  the  reports  were 
issued,  were  not  adequately  supported  and  may  have  been  inaccurate.  GAO 
recommended  that  DCAA  revise  DCAA  audit  policy  and  update  DCAA’s  CAM  as 
appropriate,  to  provide  appropriate  guidance  on  what  constitutes  sufficient  testing  to 
comply  with  GAGAS. 

The  complainant,  in  providing  an  opinion  on  the  contractor’s  EVMS,  reviewed  only  those 
Contract  Perfonnance  Reports  dated  September  21,  2008.  The  complainant  had  17 
findings  and  prepared  a  90-page  audit  report.  He  reviewed  13  earned  value  management 
guidelines  on  two  different  earned  value  management  systems  at  Northrop  Grumman 
Naval  Shipyard.  One  system  is  on  the  nuclear  aircraft  carrier  and  the  other  system  is  on 
the  nuclear  submarine.  The  complainant  audited  the  Contract  Perfonnance  Reports 
issued  on  both  systems.  The  draft  report  was  sent  to  the  Eastern  Region  for  review  in 
November  2009.  As  a  result,  the  Eastern  Regional  Director  required  the  auditor  to  update 
the  testing  to  review  current  contract  performance  reports.  We  do  not  disagree  with  the 
Regional  Director’s  decision.  The  auditor  should  have  tested  a  representative  selection  of 
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transactions  across  the  year  and  not  just  transactions  from  reports  issued  on  just  one  day. 
We  observed  that  for  very  large  projects  such  as  this,  the  data  tested  will  never  be  current 
unless  such  audits  are  scoped  and  resourced  adequately.  This  particular  audit  only  had 
two  auditors  assigned.  Cost  Performance  Reports  are  submitted  monthly  for  the  nuclear 
aircraft  carrier  and  are  submitted  quarterly  for  the  nuclear  submarine.  The  data  tested  by 
the  auditor  was  not  current  and  did  not  consist  of  sufficient  appropriate  evidence  to 
provide  a  reasonable  basis  for  the  audit  conclusion. 

We  substantiated  the  complainant’s  allegation  that  there  is  no  written  agency-wide  policy 
or  guidance  regarding  the  need  to  perform  testing  of  “current”  data  to  support  an  opinion 
of  the  contractor’s  system.  We  recommend  that  DCAA  Headquarters  develop  written 
agency-wide  policy  and  guidance  on  the  need  to  test  current  data  to  support  opinions  on 
the  contractor’s  internal  controls  and  business  systems.  The  policy  and  guidance  should 
include  criteria  when  the  auditor  should  expand  testing  and  perfonn  additional  work. 


Recommendation,  Management  Comments,  and  Our 
Response 

1.  We  recommend  that  the  Director,  Defense  Contract  Audit  Agency, 

Develop  written  policy  and  guidance  to  ensure  DCAA  auditors  comply  with 
generally  accepted  government  auditing  standards  by  obtaining  sufficient 
evidence  to  provide  a  reasonable  basis  for  the  conclusion  that  is  expressed  in 
audits  of  contractor’s  internal  controls  and  business  systems.  Specifically, 
the  written  policy  and  guidance  should  include  the  requirement  for  auditors 
to  perform: 

(a)  Sufficient  testing  of  current  data. 

(b)  Testing  of  data  generated  by  the  system  throughout  the  period 
under  audit. 

(c)  Retesting  or  expand  testing  if  the  data  tested  is  no  longer 
current. 

Management  Comments 

The  Director  concurred.  By  November  2011,  DCAA  will  issue  guidance,  which  will 
include  the  requirement  for  auditors  to  (i)  perform  sufficient  testing  of  data  that  is 
relevant  to  the  audit  objectives,  including  the  period  or  point  in  time  covered  by  the 
report,  (ii)  perform  testing  of  data  generated  by  the  system  throughout  the  period  under 
audit,  and  (iii)  issue  timely  audit  reports.  For  audits  of  contractor  business  systems, 
DCAA  will  perfonn  compliance  attestation  engagements  and  report  on  the  contractor’s 
compliance  during  a  period  of  time  or  as  of  a  point  in  time,  consistent  with  the  applicable 
attestation  reporting  standards  (AT  601.55b)  in  AICPA’s  Statements  on  Standards  for 
Attestation  Engagements.  Circumstances  where  auditors  would  need  to  expand  testing  to 
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obtain  sufficient  evidence  for  the  conclusions  expressed  in  the  report  should  be  limited 
since  the  transactions  being  evaluated  in  the  audit  will  coincide  with  the  defined  period 
covered  by  the  audit.  DCAA  agrees  with  the  guidance  in  GAGAS  A8.02g,  that  the 
evidence  provided  in  the  report  is  more  helpful  if  it  is  current  and,  therefore,  timely 
issuance  of  the  report  is  an  important  reporting  goal  for  auditors. 

Our  Response 

The  comments  are  responsive  and  no  further  comments  are  required.  We  will  monitor 
the  effectiveness  of  the  new  guidance  and  the  timeliness  of  audit  reports.  The  timely 
issuance  of  audit  reports  on  contractor  business  systems  is  essential  to  the  success  of  the 
new  agency  policy.  Audits  of  contractor  business  systems  should  be  current  and  audit 
reports  on  contractor  business  systems  should  be  issued  timely  to  protect  the  taxpayer’s 
interests. 
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Appendix.  Scope  and  Methodology 

The  review  was  conducted  in  accordance  with  the  Council  of  the  Inspectors  General  on 
Integrity  and  Efficiency  “Quality  Standards  for  Inspection  and  Evaluation.”  To 
determine  the  validity  of  the  Hotline  complaint  addressed  in  this  report,  we: 

•  interviewed  the  complainant,  Eastern  Region’s  supervisor,  resident  auditor, 
regional  audit  manager,  and  regional  technical  programs  specialist,  and  obtained 
additional  documents  related  to  the  complaint; 

•  obtained  inquiry  from  Headquarters  and  Regional  offices,  DCAA; 

•  reviewed  applicable  DCAA  policies  and  procedures,  such  as  the  Defense 
Contract  Audit  Manual,  and  audit  programs;  and 

•  reviewed  applicable  GAGAS. 

We  performed  this  review  from  April  2010  through  May  2011. 


Use  of  Computer-Processed  Data 

We  did  not  rely  on  any  computer-processed  data  as  part  of  our  review. 

Prior  Coverage 

During  the  last  5  years,  the  GAO  and  the  Department  of  Defense  Inspector  General 
(DOD  IG)  have  issued  3  reports  related  to  the  requirement  that  DCAA  auditors  perform 
sufficient  testing  to  express  an  opinion  on  the  subject  under  audit.  Unrestricted  GAO 
reports  can  be  accessed  over  the  Internet  at  http://www.gao.gov.  Unrestricted  DOD  IG 
reports  can  be  accessed  at  http://www.dodig.mil/audit/reports. 

GAO 

Report  No.  GAO-09-468,  “DCAA  Audits:  Widespread  Problems  with  Audit  Quality 
Require  Significant  Reform,”  September  23,  2009 

Report  No.  GAO-08-857,  “DCAA  Audits:  Allegations  That  Certain  Audits  at  Three 
Locations  Did  Not  Meet  Professional  Standards  Were  Substantiated,”  July  22,  2008 


DOD  IG 

Report  No.  D-2009-6-009,  “Defense  Contract  Audit  Agency  Audit  Work  Deficiencies 
and  Abusive  Work  Environment  Identified  by  the  Government  Accountability  Office,” 
August  31,  2009 


9 


Defense  Contract  Audit  Agency  Comments 


DEFENSE  CONTRACT  AUDI  I  AGENCY 
DEPARTMENT  OF  DEFENSE 
8725  JOHN  J.  KINGMAN  ROAD,  Sill  IT.  205 
PORT  Ull.VOIR.  VA  220WMj21*> 


OFFICE  OF  THE  DIRECTOR 

July  20, 20  H 

MEMORANDUM  FOR  DEPARTMENT  OF  DEFENSE,  OFFICE  OF  INSPECTOR 

GENERAL.  DEPUTY  INSPECTOR  GENERAL  FOR  POLICY 
AND  OVERSIGHT 

ATTENTION:  Mr.  Randolph  R.  Stone 

SUBJECT:  Response  to  Department  of  Defense  Office  of  Inspector  General  (DoDIG)  Draft 

Report,  Hotline  Allegation  Regarding  Lack  of  Agency  Guidance  on  the  Currency  of 
Audit  Testing  in  the  Defense  Contract  Audit  Agency ,  dated  June  20,  201 1  (Project 
No.  D2010-DIPOA1-01 17.000) 

Thank  you  for  the  opportunity  to  respond  to  the  subject  draft  report.  Hotline  Allegation 
Regarding  Lack  of  Agency  Guidance  on  the  Currency  of  Audit  Testing  in  the  Defense  Contract 
Audit  Agency  The  following  arc  DCAA’s  comments  and  responses  to  each  of  the 
recommendations. 

Allegation:  The  complainant  alleged  that  DCAA  lacks  any  written  guidance  or  agency-wide 
policy  regarding  die  •‘currency”  of  audit  testing,  which  is  causing  audit  reports  on  contractor 
business  system  reviews  to  be  delayed  as  a  result  of  retesting. 

DoDIG  Recommendation  l.a:  We  recommend  that  the  Director,  Defense  Contract  Audit 
Agency,  develop  written  policy  and  guidance  to  ensure  DCAA  auditors  comply  with  generally 
accepted  government  auditing  standards  by  obtaining  sufficient  evidence  to  provide  a  reasonable 
basis  for  the  conclusion  that  is  expressed  in  audits  of  contractor’s  internal  controls  and  business 
systems.  Specifically,  the  written  policy  and  guidance  should  include  (a)  the  requirement  for 
auditors  to  perform  sufficient  testing  of  current  data. 

DCAA  Response:  Concur  in  principle.  By  November  2011,  DCAA  will  issue  guidance,  which 
will  include  the  requirement  for  auditors  to  perform  sufficient  testing  of  data  that  is  relevant  to 
the  audit  objectives,  including  the  period  or  point  in  time  covered  by  the  report.  Please  see  our 
response  to  Recommendation  1  c  for  further  explanation. 

DoDIG  Recommendation  l.b:  We  recommend  that  the  Director.  Defense  Contract  Audit 
Agency,  develop  written  policy  and  guidance  to  ensure  DCAA  auditors  comply  with  generally 
accepted  government  auditing  standards  by  obtaining  sufficient  evidence  to  provide  a  reasonable 
basis  for  the  conclusion  that  is  expressed  in  audits  of  contractor's  internal  controls  and  business 
systems.  Specifically,  the  written  policy  and  guidance  should  include  (b)  the  requirement  to 
perform  testing  of  data  generated  by  the  system  throughout  the  period  under  audit. 
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SUBJECT:  Response  to  Department  of  Defense  Office  of  Inspector  General  (DoDIG)  Draft 

Report,  Hotline  Allegation  Regarding  Lack  of  Agency  Guidance  on  the  Currency  of 
Audit  Testing  in  the  Defense  Contract  Audit  Agency,  dated  June  20, 201 1  (Project 
No.  D2010-DIP0AI-Q1 1 7.000) 

DCAA  Response:  Concur.  By  November  2011,  DCAA  will  issue  guidance  tha!  will  include 
the  requirement  for  auditors  to  perform  testing  of  data  generated  by  the  system  throughout  the 
period  under  audit. 

DoDIG  Recommendation  l.c:  We  recommend  that  the  Director.  Defense  Contract  Audit 
Agency,  develop  written  policy  and  guidance  to  ensure  DCAA  auditors  comply  with  generally 
accepted  government  auditing  standards  by  obtaining  sufficient  evidence  to  provide  a  reasonable 
basis  for  the  conclusion  that  is  expressed  in  audits  of  contractor’s  internal  controls  and  business 
systems.  Specifically,  the  written  policy  and  guidance  should  include  (c)  the  requirement  to 
perform  retesting  or  expand  testing  if  the  data  tested  is  no  longer  current. 

DCAA  Response:  Concur  in  principle.  By  November  2011,  DCAA  will  issue  guidance  that 
will  address  the  testing  needed  to  obtain  sufficient,  appropriate  evidence  to  provide  a  reasonable 
basis  for  the  conclusions  expressed  in  the  report.  That  guidance  will  require  sufficient  testing  of 
data  relevant  to  the  audit  objectives,  including  the  period  or  point  in  time  covered  by  the  report. 
The  guidance  will  also  emphasize  the  need  to  issue  a  timely  audit  report. 

However,  DCAA  is  adopting  a  new  approach  for  auditing  business  systems  that  will 
determine  compliance  with  the  criteria  established  by  the  DEARS  interim  rule  on  contractor 
business  systems  in  lieu  of  opining  on  the  overall  effectiveness  of  the  contractor’s  internal 
controls.  DCAA  will  perform  compliance  attestation  engagements  and  report  on  the  contractor's 
compliance  during  a  period  of  lime  or  as  of  a  point  in  time,  consistent  with  the  applicable 
attestation  reporting  standards  (AT  601 .55b).  Under  these  conditions,  circumstances  where 
auditors  would  need  to  expand  testing  to  obtain  sufficient  evidence  for  the  conclusions  expressed 
in  the  report  should  be  limited  since  the  transactions  being  evaluated  in  the  audit  will  coincide 
with  the  defined  period  covered  by  the  audit.  The  attestation  standards  for  compliance 
examination  engagements  require  auditors  to  consider  two  types  of  events  that  occur  after  the  end 
of  the  period  addressed  by  the  report  and  prior  to  the  issuance  of  the  report.  Those  events  include 

( 1 )  events  that  provide  additional  information  about  compliance  during  the  reporting  period  and 

(2)  noncompliance  that  occurs  subsequent  to  the  period  being  reported  on  but  before  the  date  of 
the  report  (AT  601 ,50  -  601 ,52).  Our  guidance  on  the  new  approach  will  be  consistent  with  those 
standards. 

We  agree  with  the  guidance  in  GAGAS  A8.02g,  that  the  evidence  provided  in  the  report 
is  more  helpful  if  it  is  current  and.  therefore,  timely  issuance  of  the  report  is  an  important 
reporting  goal  for  auditors.  We  are  considering  procedures  that  will  alleviate  some  of  the 
barriers  to  timely  issuance  of  reports  on  contractor  business  systems.  Such  procedures  include 
adopting  a  team  approach  when  performing  large  complex  business  system  audits,  considering 
various  methods  that  would  leverage  and  align  our  limited  resources  with  more  focused  business 
system  audits,  and  providing  real-time  information  to  contracting  officers  when  deficiencies  in 
contractors’  business  systems  are  identified. 
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SUBJECT:  Response  to  Department  of  Defense  Office  of  Inspector  General  (DoDIG)  Draft 

Report,  Hotline  Allegation  Regarding  Lack  of  Agency  Guidance  on  the  Currency  of 
Audit  Testing  in  the  Defense  Contract  Audit  Agency,  dated  June  20.  201 1  (Project 
No.  D2010-D1P0AI-01 1 7.000) 


Questions  regarding  this  memorandum  should  be  directed  to  Mr.  Ken  Saccoccia, 
Assistant  Director,  Policy  and  Plans  Directorate,  at  (703)  767-3280. 


Director 
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